Max-severity Java security exploit plugged

But security experts warn that it could take two years for Oracle to fix Java's remaining vulnerabilities.

Oracle has released a security update for the Java
vulnerabilities that
emerged on Friday, but not without further damage to the
language’s reputation.

First seen in the wild as part of the
‘Blackhole’ exploit kit, which can be used to quickly convert a
compromised website into a malware launchpad, the vulnerabilities
have since received a CVSS score of 10.0, the
maximum severity rating possible.

The exploit is considered so dangerous that even the Department of
Homeland Security got involved, posting
a bulletin recommending that Java be disabled in web browsers
“due to the number and severity of this and prior Java
vulnerabilities”.

Oracle’s emergency update provides fixes for two vulnerabilities
being exploited in the wild, CVE-2013-0422 and CVE-2012-3174, and
raises the default Java security level in the Java Control Panel
from ‘Medium’ to ‘High’, so that unsigned applets no longer run
unless the user explicitly accepts them.

In the previous minor update, Java 7 Update 10, Oracle introduced a
simple Control Panel switch for disabling Java in the browser, and
this change to its default settings could be seen as a further
admission of Java’s seemingly unending security woes.
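As an added example (not from the article, and not an Oracle or US-CERT tool), the following POSIX shell script does the two things the paragraphs above imply a desktop administrator should do: check whether an installed JRE still predates the emergency release (Java 7 Update 11, which is the update referred to above; per Oracle’s security alert the two CVEs affect Java 7 releases up to 7u10 only), and write a Java deployment.properties that switches the browser plug-in off and pins the security level. The keys deployment.webjava.enabled, deployment.security.level and the .locked suffix are Oracle’s documented deployment configuration properties; the per-user path, the --apply flag and the function names are this example’s own choices.

```shell
#!/bin/sh
# Added example for the Java 7u11 emergency update; not Oracle's code.
#  1. needs_7u11_fix: does a JRE version string still carry the two CVEs?
#     (Oracle's alert: Java 7 up to and including 7u10; not Java 6.)
#  2. write_deployment_properties: turn the browser plug-in off (the 7u10
#     control) and set the Control Panel slider to VERY_HIGH, which is the
#     configured form of the US-CERT "disable Java in the browser" advice.

# Takes a version string as printed by `java -version`, e.g. 1.7.0_10.
# Returns 0 (true) when that release predates Java 7 Update 11.
needs_7u11_fix() {
  ver="$1"
  case "$ver" in
    1.7.0)   return 0 ;;   # Java 7 GA, no update number: vulnerable
    1.7.0_*) ;;            # Java 7 update release: compare below
    *)       return 1 ;;   # Java 6 and earlier, or Java 8: not these CVEs
  esac
  upd="${ver#1.7.0_}"      # "10", "11", "10-b18", ...
  upd="${upd%%[!0-9]*}"    # keep the leading digits only
  [ -n "$upd" ] && [ "$upd" -lt 11 ]
}

# Reads `java -version` output on stdin, whose first line looks like
#   java version "1.7.0_10"
# and prints just the quoted version string.
parse_java_version() {
  sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Writes DIR/deployment.properties. The two ".locked" lines only take
# effect in the system-level file that deployment.config points at; there
# they stop users re-enabling the plug-in from the Java Control Panel.
write_deployment_properties() {
  dir="$1"
  mkdir -p "$dir" || return 1
  cat > "$dir/deployment.properties" <<'EOF'
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
EOF
}

# Returns 0 when DIR/deployment.properties carries both hardening settings.
verify_deployment_properties() {
  f="$1/deployment.properties"
  grep -qxF 'deployment.webjava.enabled=false' "$f" &&
  grep -qxF 'deployment.security.level=VERY_HIGH' "$f"
}

# Stand-alone use: `sh harden-java.sh --apply` reports on the JRE found on
# PATH and hardens the per-user config (Linux path shown; on Windows the
# file lives under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment).
if [ "${1:-}" = "--apply" ]; then
  if command -v java >/dev/null 2>&1; then
    v=$(java -version 2>&1 | parse_java_version)
    if needs_7u11_fix "$v"; then
      echo "java $v predates 7u11: update, and keep the plug-in disabled"
    else
      echo "java $v is not a pre-7u11 Java 7 release"
    fi
  else
    echo "no java on PATH"
  fi
  write_deployment_properties "$HOME/.java/deployment" &&
    echo "wrote $HOME/.java/deployment/deployment.properties"
fi
```

To enforce this fleet-wide rather than per user, place the same file at a system path and point the JRE’s deployment.config at it (deployment.system.config=file:/path/to/deployment.properties together with deployment.system.config.mandatory=true), which is what makes the .locked lines bind. Disabling the plug-in has no bearing on server-side Java, which Oracle’s blog post says these vulnerabilities do not affect anyway.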

An accompanying blog post opens with some
damage control, reminding readers that the vulnerabilities “do not
affect Java on servers, Java desktop applications, or embedded
Java”.

While the vulnerabilities exploited by Blackhole appear to have
been plugged,
Reuters was told by security firm Rapid7 that
Java is still riddled with so many known security issues that it
“could take two years” to fix.

“The safest thing to do at this point is just assume that Java is
always going to be vulnerable,” said the company’s chief security
officer. “Folks don’t really need Java on their desktop.”